mirror of https://github.com/torvalds/linux.git
The code in set_orig_addr() does not initialize all of the members of struct sockaddr_tipc when filling the sockaddr info -- namely the union is only partly filled. This will make recv_msg() and recv_stream() -- the only users of this function -- leak kernel stack memory as the msg_name member is a local variable in net/socket.c.

Additionally to that both recv_msg() and recv_stream() fail to update the msg_namelen member to 0 while otherwise returning with 0, i.e. "success". This is the case for, e.g., non-blocking sockets. This will lead to a 128 byte kernel stack leak in net/socket.c.

Fix the first issue by initializing the memory of the union with memset(0). Fix the second one by setting msg_namelen to 0 early as it will be updated later if we're going to fill the msg_name member.

Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

||
|---|---|---|
| Kconfig | ||
| Makefile | ||
| addr.c | ||
| addr.h | ||
| bcast.c | ||
| bcast.h | ||
| bearer.c | ||
| bearer.h | ||
| config.c | ||
| config.h | ||
| core.c | ||
| core.h | ||
| discover.c | ||
| discover.h | ||
| eth_media.c | ||
| handler.c | ||
| link.c | ||
| link.h | ||
| log.c | ||
| msg.c | ||
| msg.h | ||
| name_distr.c | ||
| name_distr.h | ||
| name_table.c | ||
| name_table.h | ||
| net.c | ||
| net.h | ||
| netlink.c | ||
| node.c | ||
| node.h | ||
| node_subscr.c | ||
| node_subscr.h | ||
| port.c | ||
| port.h | ||
| ref.c | ||
| ref.h | ||
| socket.c | ||
| subscr.c | ||
| subscr.h | ||